
fix: quote secret in kubectl create secret commands#8

Merged
ChiragAgg5k merged 8 commits into main from fix/quote-secret-in-workflows
Feb 16, 2026

Conversation

@ChiragAgg5k ChiragAgg5k (Member) commented Feb 16, 2026

Summary

  • Quotes ${{ secrets.OPENAI_API_KEY }} in the kubectl create secret commands in both staging and production workflows
  • Fixes CI failure where an unquoted secret with trailing whitespace/newline broke the \ line continuation, causing --dry-run=client to be interpreted as a standalone command

Test plan

  • Verify staging deploy workflow passes the "Create application secrets" step
  • Verify production deploy workflow passes the "Create application secrets" step

Summary by CodeRabbit

  • Bug Fixes

    • Improved handling of empty document data to avoid unnecessary processing.
  • Chores

    • Switched default server response mode from streaming to batched responses.
    • Changed deployment probes to TCP checks and added service session affinity settings.
    • Quoted secret values in CI/CD workflows and adjusted workflow triggers and gateway API versions for deployment compatibility.
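The failure mode described in the summary, reproduced in an added shell example. This is not code from the PR or from the appwrite repository: the stub `kubectl`, the constructed secret values and the helper names `render_step`, `run_step` and `try_style` are all this example's own. It also goes beyond the PR's own case by rendering a third variant that passes the secret through the step's `env:` block, and by trying a secret that contains a double quote, to show where quoting alone still falls short.

```shell
#!/bin/sh
# Added example, not code from the PR or the appwrite repository.
# GitHub Actions splices ${{ secrets.X }} into a `run` script as plain text
# before the shell ever parses it. A secret that ends in a newline therefore
# terminates an unquoted command early; the `\` on the now-empty next line
# joins it to the following line, and `--dry-run=client` runs as a command.
# The stub kubectl, the SECRET_* values and the helper names are this
# example's own.

# Constructed secret values: one with an accidental trailing newline, one
# containing a double quote (to show where quoting alone is not enough).
SECRET_WITH_NEWLINE="sk-constructed-example-value
"
SECRET_WITH_QUOTE='sk-constructed"value'

# Offline stand-in for kubectl: report how many arguments it received.
kubectl() {
  printf 'kubectl received %d args:\n' "$#"
  printf '  [%s]\n' "$@"
}

# Render the workflow step the way Actions would. $1 = secret text, $2 = style:
#   unquoted  --from-literal=openai-api-key=<secret>          (the broken original)
#   quoted    --from-literal=openai-api-key="<secret>"        (the PR's fix)
#   env       --from-literal=openai-api-key="$OPENAI_API_KEY" (secret passed via
#             the step's env: block; nothing is substituted into the script)
render_step() {
  rs_value=$1
  rs_style=$2
  case "$rs_style" in
    unquoted) rs_flag="--from-literal=openai-api-key=$rs_value" ;;
    quoted)   rs_flag="--from-literal=openai-api-key=\"$rs_value\"" ;;
    env)      rs_flag='--from-literal=openai-api-key="$OPENAI_API_KEY"' ;;
    *) echo "unknown style: $rs_style" >&2; return 2 ;;
  esac
  printf 'kubectl create secret generic app %s \\\n  --dry-run=client -o yaml\n' "$rs_flag"
}

# Run a rendered script in a subshell with the stub kubectl in scope and the
# secret exported as an env: entry would be. Returns the script's exit status;
# 127 ("command not found") is the symptom the original CI failure showed.
run_step() {
  ( export OPENAI_API_KEY="$2"; eval "$1" ) 2>/dev/null
}

# Render and run in one call; the exit status is the result.
try_style() {
  try_secret=$1
  try_kind=$2
  run_step "$(render_step "$try_secret" "$try_kind")" "$try_secret"
}

# Demo when executed directly.
for style in unquoted quoted env; do
  echo "== $style, secret with trailing newline =="
  if try_style "$SECRET_WITH_NEWLINE" "$style"; then
    echo "-> exit status 0"
  else
    echo "-> exit status $?"
  fi
  echo "== $style, secret containing a double quote =="
  if try_style "$SECRET_WITH_QUOTE" "$style"; then
    echo "-> exit status 0"
  else
    echo "-> exit status $?"
  fi
done
```

Quoting makes the step parse again, but the stray newline is still stored as part of the secret value (the stub prints it inside the `--from-literal` argument), so the value should be cleaned up where the secret is defined. The `env:` form keeps the script text fixed: the shell only expands a variable, so a secret containing quote characters or `$` cannot change the command either.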


coderabbitai bot commented Feb 16, 2026

Warning

Rate limit exceeded

@ChiragAgg5k has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 2 minutes and 28 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

Walkthrough

This pull request: quotes GitHub Actions secret references (docker-username, docker-password, openai-api-key) in production and staging workflows and removes the push-on-main trigger from the staging workflow; changes startup/liveness/readiness probes from HTTP GET to TCP socket on port 1234; adds Service-level sessionAffinity and sessionAffinityTimeoutSeconds (values.yaml); upgrades Gateway and HTTPRoute apiVersion from gateway.networking.k8s.io/v1beta1 to v1; adds an early-return guard in scripts/init-vector-store.ts for empty chunks; changes default MCPServer responseMode in src/index.ts from "stream" to "batch". No public API signatures were altered.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

  • Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The PR title accurately describes the main fix: quoting secrets in kubectl commands, which aligns with the primary changes in .github/workflows/staging.yml and .github/workflows/production.yml where secret values are wrapped in quotes.
  • Merge Conflict Detection: ✅ Passed. No merge conflicts detected when merging into main.


@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (1)
deploy/mcp-for-docs/templates/mcp-for-docs.yaml (1)

48-67: Switching all probes to tcpSocket reduces health-check fidelity.

TCP socket probes only confirm the port is accepting connections—they won't detect application-level issues (e.g., the process is listening but stuck or misconfigured). This is fine for startupProbe, but for livenessProbe and readinessProbe, an HTTP endpoint (or gRPC health check) gives stronger guarantees that the service is actually functional.

If the application doesn't expose an HTTP health endpoint (e.g., it's a pure SSE/WebSocket/MCP server), then tcpSocket is a pragmatic choice—just flagging the trade-off.

@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (1)
.github/workflows/staging.yml (1)

59-64: Other secrets in shell commands are also unquoted.

The --docker-username and --docker-password values on lines 61–62 are equally susceptible to the same trailing whitespace/newline issue that broke the OpenAI secret. Consider quoting them for consistency and resilience.

Proposed fix
          kubectl -n mcp-for-docs create secret docker-registry ghcr \
            --docker-server=ghcr.io \
-            --docker-username=${{ secrets.GHCR_USERNAME }} \
-            --docker-password=${{ secrets.GHCR_TOKEN }} \
+            --docker-username="${{ secrets.GHCR_USERNAME }}" \
+            --docker-password="${{ secrets.GHCR_TOKEN }}" \
            --docker-email=ci@appwrite.io \
            --dry-run=client -o yaml | kubectl apply -f -
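Review bot: The two `+` lines fix the trailing whitespace/newline case, but `${{ secrets.GHCR_USERNAME }}` and `${{ secrets.GHCR_TOKEN }}` are still spliced into the script as text before the shell parses it, so a token that happens to contain a double quote or a `$` would still change how the command is parsed. The more robust form is to pass both values through the step's `env:` block (for example `GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}`) and reference them as `--docker-username="$GHCR_USERNAME"` and `--docker-password="$GHCR_TOKEN"` in the run script, so the script text is fixed and the shell only ever expands a variable.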

@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (1)
deploy/mcp-for-docs/templates/mcp-for-docs.yaml (1)

48-67: TCP probes are a weaker health signal than HTTP probes — consider adding a dedicated health endpoint long-term.

TCP socket probes only confirm the port is accepting connections, not that the application can serve requests. This is particularly relevant for readinessProbe, where a pod could be listening but unable to process MCP requests (e.g., vector store not loaded). If the MCP framework or your app can expose a lightweight HTTP health check (even on a separate port), that would be a stronger readiness signal.

Acceptable for now given the protocol constraints, but worth tracking as a follow-up.

@ChiragAgg5k ChiragAgg5k force-pushed the fix/quote-secret-in-workflows branch from d091243 to e7aa0de on February 16, 2026 15:48
@ChiragAgg5k ChiragAgg5k merged commit f040c6f into main Feb 16, 2026
3 checks passed
@ChiragAgg5k ChiragAgg5k deleted the fix/quote-secret-in-workflows branch February 16, 2026 16:17
ChiragAgg5k added a commit that referenced this pull request Feb 16, 2026
fix: quote secret in kubectl create secret commands
ChiragAgg5k added a commit that referenced this pull request Feb 16, 2026
Merge pull request #8 from appwrite/fix/quote-secret-in-workflows